services: use wildcard certificate

Should have done this a long time ago
Antoine Martin 2021-07-13 00:57:33 +02:00
parent 64d479e2ce
commit f0e5e90c10
14 changed files with 37 additions and 21 deletions


@ -108,7 +108,6 @@ in
monitoring = { monitoring = {
enable = true; enable = true;
useACME = true;
domain = "monitoring.${config.networking.domain}"; domain = "monitoring.${config.networking.domain}";
}; };
@ -157,9 +156,6 @@ in
}; };
}; };
security.acme.acceptTerms = true;
security.acme.email = "antoine97.martin@gmail.com";
# Enable the OpenSSH daemon. # Enable the OpenSSH daemon.
services.openssh.enable = true; services.openssh.enable = true;
services.openssh.permitRootLogin = "no"; services.openssh.permitRootLogin = "no";


@ -14,6 +14,7 @@ with lib;
nextcloud-admin-pass = lib.fileContents ./nextcloud-admin-pass.secret; nextcloud-admin-pass = lib.fileContents ./nextcloud-admin-pass.secret;
nextcloud-admin-user = lib.fileContents ./nextcloud-admin-user.secret; nextcloud-admin-user = lib.fileContents ./nextcloud-admin-user.secret;
lohr-shared-secret = lib.fileContents ./lohr-shared-secret.secret; lohr-shared-secret = lib.fileContents ./lohr-shared-secret.secret;
gandiKey = lib.fileContents ./gandi-api-key.secret;
borg-backup = import ./borg-backup { inherit lib; }; borg-backup = import ./borg-backup { inherit lib; };
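Review bot: The new `gandiKey = lib.fileContents ./gandi-api-key.secret;` reads the Gandi API key at evaluation time, so the key becomes part of the evaluated configuration, and the nginx module section later in this commit hands it to `pkgs.writeText`, which places it in the world-readable Nix store (and in any binary cache the closure is pushed to). The admin passwords above already follow this pattern, but this key is higher impact: it controls the DNS zone and therefore certificate issuance for every name under the domain. Prefer keeping it out of the store by deploying the credentials file out-of-band with restricted permissions and referencing only its path, e.g. `gandiKey = "/run/keys/gandi-creds.env";` (constructed path), and passing that path straight to `credentialsFile`.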

Binary file not shown.


@ -60,7 +60,7 @@ in {
virtualHosts = { virtualHosts = {
"pass.${domain}" = { "pass.${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; useACMEHost = domain;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";


@ -91,7 +91,7 @@ in {
virtualHosts = { virtualHosts = {
"git.${domain}" = { "git.${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; useACMEHost = domain;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";


@ -24,7 +24,7 @@ in {
# Proxy to Jellyfin # Proxy to Jellyfin
services.nginx.virtualHosts."jellyfin.${domain}" = { services.nginx.virtualHosts."jellyfin.${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; useACMEHost = domain;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:${toString jellyfinPort}/"; proxyPass = "http://localhost:${toString jellyfinPort}/";


@ -65,7 +65,7 @@ in
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"lohr.${domain}" = { "lohr.${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; useACMEHost = domain;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}"; proxyPass = "http://127.0.0.1:${toString cfg.port}";


@ -171,7 +171,7 @@ in {
virtualHosts = { virtualHosts = {
"matrix.${domain}" = { "matrix.${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; useACMEHost = domain;
locations = locations =
let let
@ -199,7 +199,7 @@ in {
"matrix.${domain}_federation" = rec { "matrix.${domain}_federation" = rec {
forceSSL = true; forceSSL = true;
serverName = "matrix.${domain}"; serverName = "matrix.${domain}";
useACMEHost = serverName; useACMEHost = domain;
locations."/".return = "404"; locations."/".return = "404";
@ -216,7 +216,7 @@ in {
"${domain}" = { "${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; useACMEHost = domain;
locations."= /.well-known/matrix/server".extraConfig = locations."= /.well-known/matrix/server".extraConfig =
let let
@ -243,7 +243,7 @@ in {
# Element Web app deployment # Element Web app deployment
# #
"chat.${domain}" = { "chat.${domain}" = {
enableACME = true; useACMEHost = domain;
forceSSL = true; forceSSL = true;
root = pkgs.element-web.override { root = pkgs.element-web.override {


@ -50,7 +50,7 @@ in {
virtualHosts = { virtualHosts = {
"reader.${domain}" = { "reader.${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; useACMEHost = domain;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";


@ -2,11 +2,12 @@
with lib; with lib;
let cfg = config.my.services.monitoring; let
cfg = config.my.services.monitoring;
domain = config.networking.domain;
in { in {
options.my.services.monitoring = { options.my.services.monitoring = {
enable = mkEnableOption "Enable monitoring"; enable = mkEnableOption "Enable monitoring";
useACME = mkEnableOption "Get HTTPS certs";
domain = mkOption { domain = mkOption {
type = types.str; type = types.str;
@ -76,8 +77,8 @@ in {
proxyWebsockets = true; proxyWebsockets = true;
}; };
forceSSL = cfg.useACME; forceSSL = true;
enableACME = cfg.useACME; useACMEHost = domain;
}; };
}; };
}; };
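Review bot: The new let-binding `domain = config.networking.domain;` now sits next to the module's own `domain` option (`cfg.domain`), so within this file `domain` and `cfg.domain` name two different things — the base domain used for `useACMEHost` and the vhost name. That is easy to misread when editing the virtualHost block, whose start lies outside the hunk. A clearer spelling is `baseDomain = config.networking.domain;` with `useACMEHost = baseDomain;`, or at least a comment on the binding: `# base domain owning the wildcard certificate; cfg.domain is the vhost name`.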


@ -66,7 +66,7 @@ in
virtualHosts = { virtualHosts = {
"cloud.${domain}" = { "cloud.${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; useACMEHost = domain;
}; };
}; };
}; };


@ -1,7 +1,7 @@
# Part of config shamelessly stolen from: # Part of config shamelessly stolen from:
# #
# https://github.com/delroth/infra.delroth.net # https://github.com/delroth/infra.delroth.net
{ config, lib, ... }: { config, lib, pkgs, ... }:
{ {
# Whenever something defines an nginx vhost, ensure that nginx defaults are # Whenever something defines an nginx vhost, ensure that nginx defaults are
# properly set. # properly set.
@ -17,5 +17,23 @@
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
email = "antoine97.martin@gmail.com";
certs =
let
domain = config.networking.domain;
gandiKey = config.my.secrets.gandiKey;
in {
"${domain}" = {
extraDomainNames = [ "*.${domain}" ];
dnsProvider = "gandiv5";
credentialsFile = pkgs.writeText "gandi-creds.env" gandiKey;
group = "nginx";
};
};
};
}; };
} }
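Review bot: The `security.acme.certs."${domain}"` block explains neither why DNS validation is used nor what shape `credentialsFile` must have; the NixOS ACME module expects that file in environment-file form, with the gandiv5 provider reading `GANDIV5_API_KEY=…`, so if gandi-api-key.secret holds only the bare key the challenge would presumably fail — worth confirming against the secret's contents. A short comment above `certs =` would save the next reader a trip to the lego docs: `# Wildcard names can only be validated via DNS-01, hence the Gandi API credentials (env-file format, GANDIV5_API_KEY=...).`. Note also that `extraDomainNames = [ "*.${domain}" ]` matches exactly one label below the base domain, so every vhost switched to `useACMEHost = domain` in this commit must be a direct subdomain.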


@ -23,7 +23,7 @@ in
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"paperless.${domain}" = { "paperless.${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; useACMEHost = domain;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}"; proxyPass = "http://127.0.0.1:${toString cfg.port}";


@ -56,7 +56,7 @@ in
services.nginx.virtualHosts."${webuiDomain}" = { services.nginx.virtualHosts."${webuiDomain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; useACMEHost = domain;
locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}"; locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}";
}; };
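Review bot: `useACMEHost = domain;` on the `"${webuiDomain}"` vhost assumes webuiDomain is a single-label subdomain of domain, since the wildcard certificate issued elsewhere in this commit covers `*.${domain}` and the apex only; webuiDomain is defined outside this hunk, so I cannot confirm that here. If it ever carries an extra label, nginx would serve a non-matching certificate for it. A one-line assertion next to the binding would make the constraint explicit, e.g. `assert lib.hasSuffix ".${domain}" webuiDomain;` (adjust to however webuiDomain is built).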